{"id":107878,"date":"2025-11-28T12:46:27","date_gmt":"2025-11-28T12:46:27","guid":{"rendered":"https:\/\/www.red-gate.com\/simple-talk\/?p=107878"},"modified":"2025-12-17T12:36:16","modified_gmt":"2025-12-17T12:36:16","slug":"practical-tips-for-securing-sql-server","status":"publish","type":"post","link":"https:\/\/www.red-gate.com\/simple-talk\/databases\/sql-server\/practical-tips-for-securing-sql-server\/","title":{"rendered":"15 Practical Tips for Securing SQL Server"},"content":{"rendered":"\n<p>Securing <a href=\"https:\/\/www.microsoft.com\/en-gb\/sql-server\/sql-server-downloads\" target=\"_blank\" rel=\"noreferrer noopener\">SQL Server<\/a> isn&#8217;t complicated, but it does require consistent attention to the areas where real risks arise, such as privileges, configuration, encryption, patching, and monitoring. This article outlines 15 practical, high-impact steps you can take to harden your SQL Server environment. &nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-1-use-low-privilege-service-accounts\">1. Use Low-Privilege Service Accounts<\/h2>\n\n\n\n<p>The SQL Server service, <a href=\"https:\/\/www.red-gate.com\/simple-talk\/databases\/sql-server\/database-administration-sql-server\/get-the-most-out-of-sql-server-agent-logs\/\" target=\"_blank\" rel=\"noreferrer noopener\">SQL Agent<\/a>, <a href=\"https:\/\/www.red-gate.com\/simple-talk\/blogs\/ssis-tricks-would-know\/\" target=\"_blank\" rel=\"noreferrer noopener\">SSIS<\/a>, and other components should each run under their own low-privilege domain accounts. <\/p>\n\n\n\n<p>Avoid using LocalSystem, LocalService, or Administrator. &nbsp;<\/p>\n\n\n\n<p>Grant only the permissions required to access data\/log directories and network shares.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-2-disable-the-sa-login\">2. Disable the sa Login<\/h2>\n\n\n\n<p>If possible, disable the &#8216;<a href=\"https:\/\/www.red-gate.com\/simple-talk\/devops\/data-privacy-and-protection\/introduction-to-sql-server-security-part-4\/#the-sa-login:~:text=your%20production%20environments.-,The%20sa%20Login,-The%20sa%20login\" target=\"_blank\" rel=\"noreferrer noopener\">sa&#8217; login<\/a>.<\/p>\n\n\n\n<p>If legacy constraints force it to exist, rename it if allowed and enforce strong password policies. &nbsp;<\/p>\n\n\n\n<p>In general, prefer Windows or <a href=\"https:\/\/www.microsoft.com\/en-gb\/security\/business\/identity-access\/microsoft-entra-id\" target=\"_blank\" rel=\"noreferrer noopener\">Entra-ID<\/a> based authentication over SQL authentication.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-3-turn-off-unused-features\">3. Turn Off Unused Features<\/h2>\n\n\n\n<p>Each enabled feature increases the attack surface. Common candidates to disable include:<\/p>\n\n\n<div class=\"block-core-list\">\n<ul class=\"wp-block-list\">\n<li>SQL CLR (if not required)<\/li>\n\n\n\n<li>xp_cmdshell<\/li>\n\n\n\n<li>OLE Automation Procedures<\/li>\n\n\n\n<li>Ad Hoc Distributed Queries<\/li>\n\n\n\n<li>Cross-database ownership chaining<\/li>\n\n\n\n<li>SQL Browser (if named instance discovery isn&#8217;t required)<\/li>\n<\/ul>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\" id=\"h-4-keep-sql-server-patched\">4. Keep SQL Server Patched<\/h2>\n\n\n\n<p>Apply patches regularly to:<\/p>\n\n\n<div class=\"block-core-list\">\n<ul class=\"wp-block-list\">\n<li>The SQL Server engine<\/li>\n\n\n\n<li>SQL components installed with <a href=\"https:\/\/learn.microsoft.com\/en-us\/ssms\/install\/install\" target=\"_blank\" rel=\"noreferrer noopener\">SSMS<\/a><\/li>\n\n\n\n<li>.NET components on the server (if Windows)<\/li>\n\n\n\n<li>The server OS<\/li>\n<\/ul>\n<\/div>\n\n\n<p>Many published SQL Server vulnerabilities rely on unpatched systems &#8211; don\u2019t let your system be one of them.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-5-enforce-tls-encryption\">5. Enforce TLS Encryption<\/h2>\n\n\n\n<p>Require encrypted connections with <strong>force encryption = yes<\/strong>. &nbsp;<\/p>\n\n\n\n<p>Install valid server certificates and disable older protocols such as TLS 1.0 and 1.1. &nbsp;<\/p>\n\n\n\n<p>Use encrypted channels between availability replicas where possible.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-6-restrict-network-access\">6. Restrict Network Access<\/h2>\n\n\n\n<p>Use host-level or network firewalls to allow inbound access only from approved application servers. &nbsp;<\/p>\n\n\n\n<p>Block unnecessary outbound connections. &nbsp;<\/p>\n\n\n\n<p>Restrict the dedicated admin connection (DAC) to admin subnets.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-7-apply-least-privilege-inside-the-database\">7. Apply Least Privilege Inside the Database<\/h2>\n\n\n\n<p>Avoid using <code>db_owner<\/code> and\/or <code>sa<\/code> for application accounts. &nbsp;<\/p>\n\n\n\n<p>Instead, grant only the specific permissions required for the application&#8217;s operations. &nbsp;<\/p>\n\n\n\n<p>Use roles rather than granting permissions directly, and separate schemas for application objects. &nbsp;<\/p>\n\n\n\n<p>Avoid using built-in roles like <code>db_datareader<\/code> and <code>db_datawriter<\/code>. Whenever you assign permissions based on built-in roles, you end up often granting more permissions than are required. Instead, create user-defined roles, and assign appropriate permissions to them.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-8-enable-auditing\">8. Enable Auditing<\/h2>\n\n\n\n<p>Turn on <a href=\"https:\/\/learn.microsoft.com\/en-us\/sql\/relational-databases\/security\/auditing\/sql-server-audit-database-engine?view=sql-server-ver17\" target=\"_blank\" rel=\"noreferrer noopener\">SQL Server Audit<\/a> or lightweight login auditing. Record key events such as:<\/p>\n\n\n<div class=\"block-core-list\">\n<ul class=\"wp-block-list\">\n<li>Failed and successful logins<\/li>\n\n\n\n<li>Permission changes<\/li>\n\n\n\n<li>Role membership changes<\/li>\n\n\n\n<li>Schema changes<\/li>\n\n\n\n<li>Backup and restore activity<\/li>\n<\/ul>\n<\/div>\n\n\n<p>These logs are critical for both security investigations and compliance.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-9-encrypt-sensitive-data\">9. Encrypt Sensitive Data<\/h2>\n\n\n\n<p>Use a layered approach involving:<\/p>\n\n\n<div class=\"block-core-list\">\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.red-gate.com\/simple-talk\/databases\/sql-server\/database-administration-sql-server\/transparent-data-encryption\/\" target=\"_blank\" rel=\"noreferrer noopener\">Transparent Data Encryption (TDE)<\/a>: protects data and log files at rest<\/li>\n\n\n\n<li>Always Encrypted: provides end-to-end protection for specific columns<\/li>\n\n\n\n<li>Encrypted backups: prevent the most common data leak vector<\/li>\n\n\n\n<li>Avoid storing encryption keys inside the same database they protect.<\/li>\n<\/ul>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\" id=\"h-10-enforce-password-and-login-policies\">10. Enforce Password and Login Policies<\/h2>\n\n\n\n<p>If SQL logins are required, enable password and lockout policies. &nbsp;<\/p>\n\n\n\n<p>Disable or remove unused logins, and periodically check for orphaned or inactive accounts.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<section id=\"my-first-block-block_42c00602eb472278b8046b6826b007af\" class=\"my-first-block alignwide\">\n    <div class=\"bg-brand-600 text-base-white py-5xl px-4xl rounded-sm bg-gradient-to-r from-brand-600 to-brand-500 red\">\n        <div class=\"gap-4xl items-start md:items-center flex flex-col md:flex-row justify-between\">\n            <div class=\"flex-1 col-span-10 lg:col-span-7\">\n                <h3 class=\"mt-0 font-display mb-2 text-display-sm\">Ensure your SQL Server security with Redgate Monitor<\/h3>\n                <div class=\"child:last-of-type:mb-0\">\n                                            Optimize performance, ensure security, and mitigate potential risks with fast deep-dive analysis, intelligent alerting, and AI-powered insights.                                    <\/div>\n            <\/div>\n                            <a href=\"https:\/\/www.red-gate.com\/products\/redgate-monitor\/\" class=\"btn btn--secondary btn--lg\">Learn more &amp; try for free<\/a>\n                    <\/div>\n    <\/div>\n<\/section>\n\n\n<h2 class=\"wp-block-heading\" id=\"h-11-configure-kerberos-correctly\">11. Configure Kerberos Correctly<\/h2>\n\n\n\n<p>Set service principal names (SPNs) for SQL Server services so that clients authenticate using <a href=\"https:\/\/www.red-gate.com\/simple-talk\/databases\/sql-server\/database-administration-sql-server\/questions-about-kerberos-and-sql-server-that-you-were-too-shy-to-ask\/\" target=\"_blank\" rel=\"noreferrer noopener\">Kerberos<\/a> instead of falling back to <a href=\"https:\/\/www.crowdstrike.com\/en-gb\/cybersecurity-101\/identity-protection\/windows-ntlm\/\" target=\"_blank\" rel=\"noreferrer noopener\">NTLM<\/a>. &nbsp;<\/p>\n\n\n\n<p>This is especially important for:<\/p>\n\n\n<div class=\"block-core-list\">\n<ul class=\"wp-block-list\">\n<li>Linked servers<\/li>\n\n\n\n<li>Multi-tier applications<\/li>\n\n\n\n<li>Reporting Services (or <a href=\"https:\/\/www.microsoft.com\/en-us\/power-platform\/products\/power-bi\/report-server\" target=\"_blank\" rel=\"noreferrer noopener\">Power BI Report Server<\/a>) and Integration Services<\/li>\n<\/ul>\n<\/div>\n\n\n<p>Wherever possible, when working with Microsoft <a href=\"https:\/\/www.techtarget.com\/searchcloudcomputing\/definition\/Windows-Azure\" target=\"_blank\" rel=\"noreferrer noopener\">Azure<\/a> or <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/azure-arc\/overview\" target=\"_blank\" rel=\"noreferrer noopener\">Azure-Arc<\/a>, try to use system or user-assigned managed identities. SQL Server 2025 has <a href=\"https:\/\/learn.microsoft.com\/en-us\/sql\/sql-server\/azure-arc\/managed-identity?view=sql-server-ver17\" target=\"_blank\" rel=\"noreferrer noopener\">expanded support<\/a> in this area.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-12-secure-backup-storage\">12. Secure Backup Storage<\/h2>\n\n\n\n<p>Backups often contain entire sensitive datasets. Keep them encrypted and stored in restricted locations. &nbsp;<\/p>\n\n\n\n<p>Avoid leaving <code>.bak<\/code> or <code>.trn<\/code> files on shared or temporary directories. &nbsp;<\/p>\n\n\n\n<p>Use separate credentials to access backup destinations. &nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-13-monitor-and-baseline-activity\">13. Monitor and Baseline Activity<\/h2>\n\n\n\n<p>Monitor for unusual patterns such as: &nbsp;<\/p>\n\n\n<div class=\"block-core-list\">\n<ul class=\"wp-block-list\">\n<li>Spikes in failed logins<\/li>\n\n\n\n<li>Unexpected login or role changes<\/li>\n\n\n\n<li>Unusual schema modifications<\/li>\n\n\n\n<li>Large or unusual data exports<\/li>\n\n\n\n<li>Sudden tempdb or memory changes<\/li>\n<\/ul>\n<\/div>\n\n\n<p>Tools such as <a href=\"https:\/\/www.red-gate.com\/simple-talk\/databases\/sql-server\/database-administration-sql-server\/extended-events-workbench\/\" target=\"_blank\" rel=\"noreferrer noopener\">Extended Events<\/a>, <a href=\"https:\/\/learn.microsoft.com\/en-us\/sql\/relational-databases\/performance\/monitoring-performance-by-using-the-query-store?view=sql-server-ver17\" target=\"_blank\" rel=\"noreferrer noopener\">Query Store<\/a>, SQL Server Audit, and <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/defender-for-cloud\/defender-for-sql-introduction\" target=\"_blank\" rel=\"noreferrer noopener\">Defender for SQL<\/a> are useful here. &nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-14-harden-the-operating-system\">14. Harden the Operating System<\/h2>\n\n\n\n<p>SQL Server is only as secure as its operating system host. &nbsp;<\/p>\n\n\n\n<p>Disable unused OS services, apply OS-level security controls, patch regularly, and restrict interactive logon access. &nbsp;<\/p>\n\n\n\n<p>Avoid any web browsing or user applications on SQL Server machines. &nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-15-restrict-access-to-the-host\">15. Restrict Access to the Host<\/h2>\n\n\n\n<p>Use <a href=\"https:\/\/www.ssh.com\/academy\/iam\/jump-server\" target=\"_blank\" rel=\"noreferrer noopener\">jump servers<\/a> or <a href=\"https:\/\/michael-kehoe.io\/post\/bastion-hosts\/\" target=\"_blank\" rel=\"noreferrer noopener\">bastion hosts<\/a> for administrative access where possible. Only DBAs and system administrators should <a href=\"https:\/\/learn.microsoft.com\/en-us\/troubleshoot\/windows-server\/remote\/understanding-remote-desktop-protocol\" target=\"_blank\" rel=\"noreferrer noopener\">RDP<\/a> into SQL Server hosts, and only if no other option is available. &nbsp;<\/p>\n\n\n\n<p>Reduce the footprint of tools installed on the server.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-summary-amp-learn-more\">Summary &amp; Learn More<\/h2>\n\n\n\n<p>These 15 steps cover the areas that matter most in real SQL Server environments. No list is comprehensive but taken together, these steps reduce attack surface, improve auditing visibility, and safeguard both the engine and the data it manages.<\/p>\n\n\n\n<p>For longer, more in-depth guides to SQL Server security, you may be interested in our <a href=\"https:\/\/www.red-gate.com\/simple-talk\/blogs\/sql-server-security-primer\/\" target=\"_blank\" rel=\"noreferrer noopener\">SQL Server Security Primer<\/a> (2023) and our 2019 <a href=\"https:\/\/www.red-gate.com\/simple-talk\/devops\/data-privacy-and-protection\/introduction-to-sql-server-security-part-1\/\" target=\"_blank\" rel=\"noreferrer noopener\">Introduction to SQL Server Security<\/a> series.<\/p>\n\n\n\n<p><strong>UPDATE 12\/8\/2025:<\/strong> Over on <a href=\"https:\/\/www.sqlservercentral.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">SQL Server Central<\/a>, in response to this article, site editor <strong>Steve Jones<\/strong> asks the question: <a href=\"https:\/\/www.sqlservercentral.com\/editorials\/your-security-checkup\" target=\"_blank\" rel=\"noreferrer noopener\">how many of you perform security checkups on your systems?<\/a> We&#8217;d love to hear your thoughts!<\/p>\n\n\n\n<section id=\"my-first-block-block_31962d28ddc553d7c627e99d31258177\" class=\"my-first-block alignwide\">\n    <div class=\"bg-brand-600 text-base-white py-5xl px-4xl rounded-sm bg-gradient-to-r from-brand-600 to-brand-500 red\">\n        <div class=\"gap-4xl items-start md:items-center flex flex-col md:flex-row justify-between\">\n            <div class=\"flex-1 col-span-10 lg:col-span-7\">\n                <h3 class=\"mt-0 font-display mb-2 text-display-sm\">Subscribe to the Simple Talk newsletter<\/h3>\n                <div class=\"child:last-of-type:mb-0\">\n                                            Get selected articles, event information, podcasts and other industry content delivered straight to your inbox every two weeks.                                    <\/div>\n            <\/div>\n                            <a href=\"https:\/\/www.red-gate.com\/simple-talk\/subscribe\/\" class=\"btn btn--secondary btn--lg\">Subscribe now<\/a>\n                    <\/div>\n    <\/div>\n<\/section>\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>15 practical, high-impact steps for securing your SQL Server environment.&hellip;<\/p>\n","protected":false},"author":346483,"featured_media":106674,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[143523,53,143530,46,143524],"tags":[4168,4619,5765,4150,4151],"coauthors":[159368],"class_list":["post-107878","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-databases","category-featured","category-security","category-security-and-compliance","category-sql-server","tag-database","tag-security","tag-security-and-compliance","tag-sql","tag-sql-server"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/107878","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/users\/346483"}],"replies":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/comments?post=107878"}],"version-history":[{"count":7,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/107878\/revisions"}],"predecessor-version":[{"id":108139,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/107878\/revisions\/108139"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/media\/106674"}],"wp:attachment":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/media?parent=107878"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/categories?post=107878"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/tags?post=107878"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/coauthors?post=107878"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}